As GDPR Looms, Industry Worries

The latest EU dispatch is word that the trilogue negotiations over the General Data Protection Regulation (GDPR) will finish by December, and—finally—the EU’s new rules will be unveiled in all their glory. While the anticipated birth date for this much-discussed reform may thrill some, for others it feels more like doomsday than something to celebrate.

That’s because industry has big concerns about what the regulation’s provisions—as they read now in most versions of the four draft texts—would mean for businesses aiming to thrive and compete in the digital economy. And, there’s worry that the push to finish the regulation by year’s end will result in a flawed final product.

Aiming to make their concerns heard by government, industry groups have organized into coalitions, some publishing position papers to be heard, others calling directly on the citizenry to join in and support the cause. But what’s been frustrating, they say, is a lack of transparency in the trilogue process.

“The difficulties are very much about access,” said Frederico Do Nascimento Costa, a consultant at Community Public Affairs, a Brussels-based group that specializes in public affairs campaigning. In 2015, it formed the European Data Coalition (EDC), comprising 19 European companies of all sizes—multinationals like Nokia and Ericsson, small not-for-profits and some in between. It organized to lobby against the aspects of the GDPR its members say are dangerous to their abilities to conduct day-to-day operations, generate revenue and compete in the marketplace.

But the trilogue process is very closed off to outside-government groups, he said, and the EDC's lobbying efforts have been limited to mainly submitting position papers and hoping they’re read.

Specifically, the EDC is worried about burdensome consent requirements on purpose limitation; joint liability of the controller and the processor; rigid and expensive international data transfer processes; and data breach sanctions.

“No one is against sanctions, and they should be used as a deterrent,” Costa said. “But what is proposed is that sanctions are calculated on global turnover, and, for many of our members, their data processing activities account for less than 10 percent of their overall activity. So, if there is a data breach, it’s highly unfair that the calculation is not based on processing but on global turnover.”

Costa said the pervasive narrative from stakeholders both on pan-European and national levels is that the GDPR should be protective of the data subject, but to an extreme.

“It’s a blind goal, without consequence,” he said. “Politically, it’s very easy for members of the European Parliament or the Commission to state publicly, ‘What we are trying to achieve is to protect the European citizen.’ It’s a very popular concept. But when you ask them about what are the potential risks for the European economy and job creation in Europe, they become silent. What they want to do is push this text forward and no matter what.”

Fueling the fire, he said, are the perceived abuses of the global citizenry by the U.S. government. The Snowden revelations created a deafening chorus in the EU on the need to protect the individual, no matter the cost, or to whom. The recent invalidation of Safe Harbor didn’t help, either.

“The problem we have now with the Safe Harbor agreement being branded invalid by the ECJ, this reinforces the hardliners in Europe,” Costa said.

Sébastien Houzé is secretary general at the Federation of European Direct and Interactive Marketing (FEDMA), a coalition of both government and industry groups. It launched the “Data Now” campaign, which aims to engage the citizenry in urging European government not to pass over-prescriptive law that could cripple innovation.

Houzé agrees with Costa’s assessment that rhetoric is emotionally charged.

“When we have the conversation around data protection, we have seen it was driven by the extreme,” he said. “On the one hand, you have privacy activists with the nice Snowden stories about NSA spying and hacking and all those frightening stories. On the other hand, you had the right to be forgotten. Just in between, there was nothing.”

But European Digital Rights (EDRi), a Brussels-based coalition comprising 31 civil rights groups, is worried that lobbying efforts will result in the undermining of basic data hygiene rules, including those that have already existed in a most basic form since the 1995 Directive.

“There are efforts to undermine every core principle, things like data minimization are being attacked as being contrary to economic interest and the good of the economy,” said Joe McNamee, executive director of EDRi. “Which is utter nonsense, because things like data minimization are already in the law, and no one has died, to my knowledge.”

He points to the Allegro Group, which offers e-commerce services and recently released a series of three YouTube videos, one of which warned viewers that the pending GDPR is so prescriptive citizens would no longer be allowed to send flowers to one another because the recipient wouldn’t have consented to their personal data being used for the transaction.

“The arguments being used are increasingly wild,” he said. “The good thing about the latest round of lobbying is that it’s blatantly ridiculous, which is helpful.”

FEDMA's Data Now campaign asks for a principles-based, risk-based, technology-neutral regulation. Its basic premise: data isn't the devil. In fact, it can do amazing things if you let it.

“This is scary, I mean, citizens are scared,” Houzé said. “The only thing they know is about NSA and Snowden … And then in some cases they see things happening on their computer and they don’t know why this is happening. In our industry, we have a lot of work to do on education and information. We are a respect-based industry. That’s why, in some cases, I’m shocked to see negative comments that we don’t respect privacy,” he said.

Costa agreed. He said a lot of the trouble in being heard and considered legislatively is the result of misconceptions.

“There’s a prejudice against industry, which is that we are all in favor of lowering the standard; that we are simply playing to the tune of American companies,” Costa said. “But that’s not the case.”

Houzé said another impediment to being heard is legislators’ misunderstanding or ignorance of the technology and how it’s used.

“The business model of today is driven by tech in some cases,” he said. “They should see technology as a medium and not as an enemy. And this is the misunderstanding, I think. In some cases, it’s as if they believe all the things based on technology are spying on us. But it’s a minority of bad guys, and we don’t represent the bad guys. We represent the marketing good guys.”

Costa said the European Commission has tried to create a narrative that industry is supportive of GDPR proposals, but, “if you track and review all the position papers, all the statements of European associations, none of them are supportive of the current drafts.”

He fears, regardless of widespread disapproval and concern at the industry level, there’s so much pressure on the government to deliver something by year’s end, it may be too late to effect real change.

The timetable “seems to be the guiding principle, the most important objective, rather than the quality of the text,” he said.

But, he added, it’s not that industry believes the solution is to go back to the drawing board. Of all the drafts put forth so far, it favors the Council's and can only hope the final version of the GDPR closely resembles that version.

“What we are proposing is, while there are good suggestions on the table, we just have to find the right combination, and then the outcome would be a balanced text,” he said.

Houzé is similarly optimistic. For its part, FEDMA is in the process of drafting a code of conduct—the culmination of a two-year endeavor involving stakeholders. It has presented the code to Parliament and hopes the government will consider the possibility of a sort of hybrid of industry self-regulation and law to be a viable option.

“As an industry, what can we do? Sit and wait? Or work on it?” he said. “At FEDMA, we have decided to work on it.”

EDRi’s McNamee said the potential for self-regulation’s success depends on the lowest common denominator.

“If you have a baseline with regard to consent, data minimization, all the key points, then there’s never anything stopping industry from developing codes and transparency showing they are respecting citizens’ rights,” he said. “But when you don’t have a baseline, then you have a problem. Unfortunately, history shows very very clearly and repeatedly that data protection is simply very conducive to effectively functioning self-regulation. It has never worked. You see that in the Safe Harbor agreement and the various abuses that have been documented there.”

For now, industry is waiting with bated breath to find out if the government has or has not heard its concerns. It's anyone's guess at this point as to whether it has.
